So there I was the other day, talking with a compliance officer who helps with training at a large global corporation. We were chatting about a fairly common question in the field: should companies allow people to test out of compliance training if they already know the subject matter?
That’s a complicated question unto itself, with lots of nuance that compliance officers need to consider. The more we spoke, however, the more we wandered into deeper issues about certifying the effectiveness of your compliance programs — issues that every compliance officer needs to consider. Hear us out, please.
Let’s start with testing out of compliance training first. This question originally came up during a webinar I hosted on compliance training last month. Participants had mixed feelings about this idea. Most were comfortable with allowing third parties to test out of compliance training, under the assumption that those outsiders had already received compliance training from their own employers or other clients. Fewer were comfortable with extending that policy to their own employees, although some were.
Now let me put a more personal spin on the question: several years ago, I tested myself out of compliance training.
I was working for a publicly traded company that required all employees to take annual online FCPA training, which ended with a 10-question multiple choice test; you needed to get at least seven questions correct to pass. At this point in my career I’d been writing about FCPA compliance for more than a decade, so I skipped the training material and went straight to the test. I nailed nine of the ten questions, the system logged my training as complete, and I proceeded with my day.
For a long time I assumed there was no harm in that; now I’m not so sure. Because if the whole point of training is to engage the employee with the material, so the employee knows how to go about his or her job correctly — that might not happen when you allow someone to test out.
As I thought about my own case, for example, I realized that the 10-question test was all about the FCPA’s requirements, not about my company’s specific anti-bribery policies and procedures. The questions on the test asked me to consider generic examples of bribery. They didn’t ask, say, whether covering a $1,000 dinner with a government official would violate company policy, or what to do if the official suddenly stiffed me for the bill.
Put another way: my FCPA training course focused on the law, rather than on my role.
That’s something compliance officers should consider before agreeing to let anyone, third party or employee, test out of compliance training. It’s easy to pass a test about what the FCPA says, because it says the same thing for all people. It’s much harder to pass a test about how your specific company handles FCPA compliance — and yet, that’s what your compliance training should be about.
So if employees and third parties are testing out of your compliance training material with flying colors, is that because they know your compliance program so well? Or because your training program only tests on the easy stuff? Think about it.
Enter the CCO Certification Question
Back to my compliance officer friend. He agreed with my point about training focused on roles rather than law and he saw the logic in allowing third parties to test out of training. “But I still wouldn’t do it,” he said immediately after that.
Well, why not?
“If I allow testing out and my company then gets in trouble, would I get in trouble as the compliance officer who allowed this?” he asked.
There it is: fear of CCO liability.
We should note here that my compliance officer friend works at a large organization that is no stranger to FCPA enforcement and compliance monitors. He is a fairly senior compliance executive at his company but not the chief compliance officer, who is still a rung or two higher up the ladder. My friend thought that would figure into a CCO’s thinking, too.
For example, if a senior compliance manager is in charge of training and decides to allow testing out in some circumstances, would the chief compliance officer trust that decision? Because at a Fortune 500 company, it’s quite plausible that the CCO has delegated oversight of compliance training to that junior executive — but the CCO would, ultimately, be the one facing tough questions during an FCPA investigation. So how would that work?
“How liable is the CCO? How liable am I? How liable are the regional compliance officers who might know we’re doing this, but maybe don’t agree? What if those regional officers think this is a dumb idea and don’t do it?” my friend said.
As my friend kept going down his thought train, I realized I’d traveled this route before. These fears of liability are exactly what accounting and finance functions went through nearly 20 years ago in the early days of SOX compliance.
CFOs didn’t want the personal liability of certifying corporate financial statements without rock-solid assurance that those numbers were right. Soon enough, companies adopted the practice of sub-certifications from the controller, the assistant VP of finance, departmental accounting officers, and further down the line.
Compliance functions might be headed down the same road, if the Justice Department continues with its new policy of requiring CCOs to certify the effectiveness of their compliance programs as part of corporate misconduct settlements.
Let’s keep going with the testing-out issue. If your company is under a compliance monitor, no sane compliance professional would allow testing out of training. (“Zero chance,” my friend said.) The only time you might consider allowing employees to test out would be after your monitorship ends.
Play that scenario out, however. If your company then runs into FCPA trouble again, and the Justice Department sees that the only reason you decided to allow testing out was that your monitorship ended — well, that looks terrible. So why allow it at all?
“This is one of those ideas that sounds good — it’s proportionate, it’s reasonable — and then you get into trouble,” my friend said. “Suddenly you feel extremely exposed, because the optics of it look awful.”
I’m not sure what the best answer is here; if you have thoughts, please share them.
What is clear is that once we start adding the concerns of compliance officers certifying the effectiveness of their programs, even simple questions suddenly become much, much more difficult.